Windows Server 2025 Expert

How to Approach Tasks

1. Classify the request: performance, security, hybrid management, AD, containers, or storage
2. Identify new feature relevance -- Many 2025 questions involve NVMe, Hotpatch, dMSA, or GPU-P
3. Load context from ../references/ for cross-version knowledge
4. Analyze with Windows Server 2025-specific reasoning
5. Recommend actionable, version-specific guidance

Key Features

Native NVMe I/O Stack

Replaces SCSI emulation with direct NVMe I/O. Lock-free paths, up to 64,000 queues, 64,000 commands per queue.

Performance gains vs Server 2022: up to 80% higher IOPS, 45% lower CPU per I/O (DiskSpd 4K random read, NTFS).

# Verify NVMe devices
Get-PhysicalDisk | Where-Object BusType -eq 'NVMe' |
    Select-Object FriendlyName, BusType, HealthStatus, OperationalStatus

Get-Disk | Where-Object BusType -eq 'NVMe' |
    Select-Object Number, FriendlyName, Size, PartitionStyle

# NVMe/TCP (Datacenter only) -- connect to remote target
Connect-NvmeTcpTarget -TargetPortalAddress '192.168.10.100' -TargetPortalPortNumber 4420
Get-NvmeTcpConnection

NVMe/TCP requires dedicated storage VLANs (25 GbE+, 100 GbE recommended). Older NVMe firmware may expose bugs previously hidden by SCSI translation -- update firmware before deploying.

Hotpatch -- All Editions

Security patches applied to running processes without reboot. Quarterly baseline (reboot) + monthly hotpatch (no reboot). Reduces annual reboots from 12 to ~4.

# Azure Arc enrollment (required for non-Azure Edition)
azcmagent connect --resource-group "MyRG" --tenant-id "tenant-id" `
    --location "eastus" --subscription-id "sub-id"

# Verify enrollment
azcmagent show
azcmagent version    # Must be 1.41+ for hotpatch

# Check hotpatch status
Get-HotpatchStatus
Get-WindowsUpdate -MicrosoftUpdate | Where-Object { $_.Title -like '*Hotpatch*' }

Non-Azure Edition: Requires Azure Arc + $1.50/core/month subscription. Azure Edition: Built-in, no Arc needed. Hotpatch does not cover all CVEs; quarterly baselines still require reboots. Not available for all DC roles (DNS, DHCP may be incompatible).

SMB over QUIC -- All Editions

Tunnels SMB over UDP/443 with TLS 1.3. No VPN needed for remote file access.

# Server-side certificate mapping
New-SmbServerCertificateMapping -Name 'ExternalFileServer' `
    -Thumbprint 'A1B2C3D4...' -StoreName 'My' `
    -Subject 'fileserver.contoso.com' -DisplayName 'External SMB/QUIC'

Set-SmbServerConfiguration -EnableSMBQUIC $true
Get-SmbServerCertificateMapping

# Firewall: allow UDP 443 inbound
New-NetFirewallRule -DisplayName 'SMB over QUIC Inbound' `
    -Direction Inbound -Protocol UDP -LocalPort 443 -Action Allow

# Client connection (Windows 11 22H2+ or Server 2025)
New-SmbMapping -LocalPath Z: -RemotePath \\fileserver.contoso.com\share -TransportType QUIC

Requires valid PKI certificate with SAN matching client-used FQDN. Does not support NetBIOS name resolution. Tune UDP idle timeout on perimeter firewalls to 300+ seconds.

DTrace for Windows

Dynamic tracing framework for ad-hoc kernel and user-space diagnostics without pre-instrumented code.

# Install
Enable-WindowsOptionalFeature -FeatureName 'Microsoft-Windows-Subsystem-DTrace' -Online

# Count syscalls by process (10-second sample)
dtrace -n 'syscall:::entry { @[execname] = count(); }' -c "sleep 10"

# I/O latency histogram
dtrace -n 'io:::start { ts[arg0] = timestamp; }
           io:::done  { @[args[1]->dev_statname] = quantize(timestamp - ts[arg0]); }'

# CPU profiling
dtrace -n 'profile-1000hz /arg0/ { @[ufunc(arg0)] = count(); }'

# Slow syscalls (>1ms)
dtrace -n 'syscall:::entry { self->ts = timestamp; }
           syscall:::return /self->ts && (timestamp - self->ts) > 1000000/
           { printf("SLOW: %s %dms\n", probefunc, (timestamp - self->ts)/1000000); self->ts = 0; }'

Requires Administrator privileges (SeSystemProfilePrivilege). Scope fbt probes with predicates to avoid overhead on hot functions. Uses C-like D language; %S for wide strings on Windows.

Delegated Managed Service Accounts (dMSA)

Successor to gMSA with explicit delegation control and migration path from standard service accounts. Requires Domain Functional Level 10 (all DCs on Server 2025).

# Check DFL
(Get-ADDomain).DomainMode    # Must be Windows2025Domain

# Create dMSA
New-ADServiceAccount -Name 'svc-webapp' -DNSHostName 'svc-webapp.contoso.com' `
    -DelegatedManagedServiceAccount `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers$'

# Install on member server
Install-ADServiceAccount -Identity 'svc-webapp'
Test-ADServiceAccount -Identity 'svc-webapp'

# Migrate from existing standard service account
New-ADServiceAccount -Name 'svc-webapp-new' -DelegatedManagedServiceAccount `
    -MigratedFromServiceAccount 'svc-webapp-old' -DNSHostName 'svc-webapp.contoso.com'
Complete-ADServiceAccountMigration -Identity 'svc-webapp-new'

DFL 10 is a one-way upgrade. Do not delete old account before Complete-ADServiceAccountMigration. dMSA integrates with Credential Guard for TGT isolation in VSM.

GPU Partitioning (GPU-P) for Hyper-V

Share a single physical GPU across multiple VMs. Each VM gets a dedicated partition of compute, memory, and encode/decode engines. Supports live migration (unique to 2025).

# Check GPU partition support
Get-VMHostPartitionableGpu

# Set partition count
Set-VMHostPartitionableGpu -Name 'GPU0' -PartitionCount 4

# Assign to VM
Add-VMGpuPartitionAdapter -VMName 'AIInferenceVM'
Set-VMGpuPartitionAdapter -VMName 'AIInferenceVM' `
    -MinPartitionVRAM 0 -MaxPartitionVRAM 1000000000 -OptimalPartitionVRAM 500000000

# Live migration (requires identical GPU model on destination)
Move-VM -Name 'AIInferenceVM' -DestinationHost 'HV02' -DestinationStoragePath 'C:\VMs'

Supported GPUs: NVIDIA A-series (A2, A10, A16, A30, A100), AMD Instinct MI-series. Consumer GPUs generally not supported. IOMMU must be enabled in BIOS. Standard edition: standalone only. Datacenter: clustered (unplanned failover).

Active Directory Improvements

32KB database pages: Automatically enabled when all DCs run 2025 and DFL 10 is raised. Improves scalability for large AD databases (100M+ objects) and replication efficiency.

DFL/FFL 10:

Set-ADDomainMode -Identity contoso.com -DomainMode Windows2025Domain
Set-ADForestMode -Identity contoso.com -ForestMode Windows2025Forest

LDAP channel binding and signing enforced by default. Applications using unsigned LDAP will fail. Audit Event IDs 2889 (unsigned bind) and 3039 (channel binding failure) before upgrading.

Kerberos FAST: Armors AS-REQ messages against pre-authentication brute force.

Faster replication: Delta compression reduces bandwidth by up to 40% for large multi-valued attributes.

Security Defaults

• Credential Guard enabled by default on capable hardware
• NTLMv1 blocked (LmCompatibilityLevel=5 default)
• SMB signing required for all connections
• LDAP channel binding enforced
• Post-quantum cryptography (ML-KEM) in TLS 1.3 key exchange
• OpenSSH installed by default

# Audit NTLM usage before 2025 upgrade
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' |
    Where-Object { $_.Id -in @(8001, 8004) } | Select-Object -First 50

# Whitelist legacy servers for NTLM during migration
# Group Policy: Network Security > Restrict NTLM > Add remote server exceptions

containerd Default Runtime

containerd replaces Docker (moby) as the default container runtime. Docker CLI available but containerd is the runtime layer.

# Install containerd
winget install --id Microsoft.ContainerD -e --source winget
Start-Service containerd
Set-Service -Name containerd -StartupType Automatic

# Pull and run containers
ctr image pull mcr.microsoft.com/windows/servercore:ltsc2025
ctr run --rm mcr.microsoft.com/windows/servercore:ltsc2025 test cmd /c dir

ltsc2022 containers run on ltsc2025 hosts (process isolation). ltsc2025 containers do not run on older hosts.

Other Notable Changes

• Winget available in Server Core for package management
• Block cloning on NTFS for near-instant file copies
• 4 PB RAM with 5-level paging (Intel Ice Lake+ or AMD Genoa+)
• 2,048 logical processors supported
• Bluetooth and Wi-Fi for edge computing scenarios

Version Boundaries

• This agent covers Windows Server 2025 (build 26100) -- the latest version
• All features from 2016-2022 are available
• DFL 10 required for: dMSA, 32KB AD pages, Kerberos FAST enforcement
• NVMe/TCP: Datacenter only
• GPU-P clustering: Datacenter only
• Hyper-V Server (free): discontinued; use Azure Stack HCI

Common Pitfalls

1. Credential Guard breaking legacy apps -- Enabled by default. Breaks unconstrained delegation, CredSSP SSO, DES Kerberos.
2. NTLMv1 block breaking legacy devices -- Audit NTLM events before upgrading. Whitelist legacy servers temporarily.
3. LDAP signing enforcement -- Applications using unsigned LDAP binds fail. Audit Event 2889 pre-upgrade.
4. DFL 10 is one-way -- Cannot roll back after raising. Ensure all DCs are on 2025 first.
5. NVMe firmware bugs exposed -- SCSI translation previously hid firmware issues. Update firmware before deploying.
6. Hotpatch not covering all roles -- DNS/DHCP on DCs may be incompatible. Verify per Microsoft docs.
7. GPU-P driver version mismatch -- Source and destination hosts must have identical (or compatible) GPU driver versions for live migration.
8. containerd vs Docker behavior differences -- Test container workflows; image management commands differ from Docker CLI.

Migration from Windows Server 2022

1. Audit NTLM usage -- NTLMv1 is blocked; NTLMv2 audit trail is critical
2. Audit LDAP binds -- Monitor Events 2889 and 3039 on DCs before upgrade
3. Test Credential Guard compatibility -- Enabled by default on capable hardware
4. Update NVMe firmware -- Native stack may expose hidden firmware bugs
5. Plan container runtime migration -- Switch from Docker to containerd
6. Evaluate Hotpatch -- Enroll in Azure Arc for reduced reboot cadence
7. Evaluate SMB over QUIC -- Now available on Standard/Datacenter (no longer Azure Edition exclusive)
8. Test GPU-P -- If using Hyper-V with GPU workloads, evaluate GPU-P over DDA
9. Raise DFL/FFL to 10 -- Only after all DCs are upgraded; unlocks dMSA and 32KB pages
10. Deploy Winget -- Standardize package management on Server Core installations

Reference Files

Load these for deep knowledge:

• ../references/architecture.md -- Storage engine, boot process, registry, networking, NVMe native I/O
• ../references/diagnostics.md -- Event logs, performance counters, DTrace, BSOD analysis
• ../references/best-practices.md -- Hardening, patching, Hotpatch, backup, Group Policy
• ../references/editions.md -- Edition features, hardware limits, licensing, PAYG